One Billion Yahoo Accounts Still for Sale, Despite Hacking Indictments

Brian Stretch, the United States attorney for the Northern District of California, announced criminal charges this week against four men officials say were responsible for a 2014 breach of Yahoo’s systems. Credit: Brendan Smialowski/Agence France-Presse — Getty Images

SAN FRANCISCO — For sale: one billion Yahoo accounts, $200,000 or best offer. The passwords don’t work, but the dates of birth, telephone numbers and security questions could still be useful to an adept cyberthief.

After federal prosecutors unsealed indictments this week against four men they say were responsible for a 2014 intrusion into Yahoo’s systems that affected 500 million user accounts, data on one billion accounts — stolen in another attack on the company a year earlier — appeared to remain available on underground hacker forums on Friday.

The authorities were tight-lipped about their investigation of the 2013 attack, which is the largest known breach of a private company’s computer systems. The 2014 hacking of Yahoo’s servers is the second largest.

“We’re not willing to comment right now if there is a connection between the two investigations,” Malcolm Palmore, who oversees the Federal Bureau of Investigation’s cybersecurity division in San Francisco, said on Wednesday in a brief interview after the government unveiled the indictments.

But the two attacks share some common characteristics and may be linked in some fashion.

Both of them involved highly skilled Russian hackers, according to cybersecurity experts who have studied the attacks. In both cases, the hackers had links to the Russian government. And in both cases, at least some of the data was used to send spam to Yahoo users.

Alexsey Belan, the technical expert who was charged with breaking into Yahoo’s systems in 2014 at the behest of two Russian intelligence officers, has a long record of cybercrime.

In 2012, he was indicted on three felony charges for hacking the computer systems of Zappos, the online shoe retailer owned by Amazon, and stealing information on as many as 24 million customers.

In 2013, Mr. Belan struck again, hacking into Evernote and Scribd, two digital document storage services, according to a federal indictment filed against him that June. Law enforcement authorities arrested him in Greece later that year, but he posted bail and fled to Russia.

Cybersecurity experts who have studied the incidents say the 2013 attack on Yahoo was most likely carried out by a different person. InfoArmor, an Arizona cybersecurity firm, has attributed it to a group of cyberthieves it calls Group E. That group sold the entire database at least three times, including once to an entity that InfoArmor believes was connected to the Russian government.

The indictment against Mr. Belan filed this week is vague about how he and his three co-conspirators gained access to Yahoo’s systems.

Alex Holden, founder of Hold Security, a cybersecurity firm, said one prevailing theory in the industry was that Mr. Belan capitalized on the earlier breach. He said the person or people behind the 2013 intrusion probably sold, traded or were forced to share their access to Yahoo’s systems with Russian intelligence services. The two Russian intelligence agents indicted in the 2014 breach are accused of using that access to conduct their own spying operation with the assistance of Mr. Belan and another conspirator in Canada.

The Russian government has strenuously denied any involvement in any hacking of Yahoo’s systems.

Yahoo declined to comment on Friday, but pointed a reporter to a December statement about the 2013 attack. In that statement, the company said it had not been able to find the intrusion but that it was “likely distinct” from the 2014 one.

A spokeswoman for the F.B.I. declined to comment on Friday.

But during a briefing with reporters in San Francisco on Wednesday, F.B.I. officials said the intrusion into Yahoo’s systems appeared to have begun with a spear-phishing attack, in which a Yahoo employee was tricked into disclosing information that allowed the attackers in.

Although Yahoo security officials noticed a breach in 2014, they initially believed it was limited in scope, according to securities filings made by the company. Senior executives were aware of the attack in 2014 but failed to recognize its significance, the company said.

Yahoo publicly disclosed the 2014 breach in September. It disclosed the larger, 2013 attack in December and forced all affected users who had not already done so to change their passwords.

The database of one billion accounts was on offer for $200,000, which Mr. Holden, the Hold Security founder, called “an exorbitant amount of money.” The asking price for a single address is $10,000.

The sellers claimed to have continued access to Yahoo’s systems. But when Mr. Holden, posing as a buyer’s representative, asked them to prove their access by giving him data about two new accounts, they could not do so.

Yahoo, for its part, has said that the security holes exploited by the hackers have been patched up.

The two attacks had threatened a $4.8 billion deal that Yahoo struck last summer to sell its internet businesses to Verizon Communications. Verizon sought to cut $925 million from the original selling price, but the two companies agreed last month to a $350 million reduction.

Matthew Rosenberg contributed reporting from Washington.

Follow Vindu Goel on Twitter @vindugoel.

A version of this article appears in print on , on Page B1 of the New York edition with the headline: Charges Don’t End Sale of Yahoo Data.